refactor: update ssh module to use networking namespace

feat(config): set lanzaboote configurationLimit to 10
refactor(config): standardize secret names for API keys
2026-06-21 03:36:32 +05:30 · 2026-05-08 07:22:18 +05:30 · 2026-05-08 05:31:54 +05:30 · 2026-05-08 05:31:18 +05:30 · 2026-05-08 05:14:03 +05:30 · 2026-05-08 05:09:38 +05:30
9 changed files with 271 additions and 78 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -97,6 +97,21 @@
        "url": "https://codeberg.org/LGFae/awww"
      }
    },
+    "crane": {
+      "locked": {
+        "lastModified": 1765145449,
+        "narHash": "sha256-aBVHGWWRzSpfL++LubA0CwOOQ64WNLegrYHwsVuVN7A=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "69f538cdce5955fcd47abfed4395dc6d5194c1c5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat_2",
@@ -186,6 +201,22 @@
      }
    },
    "flake-compat_4": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1761588595,
+        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_5": {
      "locked": {
        "lastModified": 1733328505,
        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
@@ -199,7 +230,7 @@
        "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
      }
    },
-    "flake-compat_5": {
+    "flake-compat_6": {
      "flake": false,
      "locked": {
        "lastModified": 1767039857,
@@ -349,6 +380,28 @@
        "type": "github"
      }
    },
+    "gitignore_2": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
    "harfbuzz": {
      "flake": false,
      "locked": {
@@ -779,6 +832,28 @@
        "type": "github"
      }
    },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "nixpkgs": "nixpkgs_6",
+        "pre-commit": "pre-commit",
+        "rust-overlay": "rust-overlay_3"
+      },
+      "locked": {
+        "lastModified": 1765382359,
+        "narHash": "sha256-RJmgVDzjRI18BWVogG6wpsl1UCuV6ui8qr4DJ1LfWZ8=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "e8c096ade12ec9130ff931b0f0e25d2f1bc63607",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v1.0.0",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
    "libpng": {
      "flake": false,
      "locked": {
@@ -820,9 +895,9 @@
    },
    "nixcord": {
      "inputs": {
-        "flake-compat": "flake-compat_4",
+        "flake-compat": "flake-compat_5",
        "flake-parts": "flake-parts_3",
-        "nixpkgs": "nixpkgs_6",
+        "nixpkgs": "nixpkgs_7",
        "nixpkgs-nixcord": "nixpkgs-nixcord"
      },
      "locked": {
@@ -934,6 +1009,22 @@
      }
    },
    "nixpkgs_10": {
+      "locked": {
+        "lastModified": 1777918403,
+        "narHash": "sha256-7QiZv0LcW1yIOLo2LNuCQjWon1Z1r99FwK24hbtBOF4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "afc5551119aae6eab73a95c1960891cfe63204f6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_11": {
      "locked": {
        "lastModified": 1770107345,
        "narHash": "sha256-tbS0Ebx2PiA1FRW8mt8oejR0qMXmziJmPaU1d4kYY9g=",
@@ -1014,6 +1105,22 @@
      }
    },
    "nixpkgs_6": {
+      "locked": {
+        "lastModified": 1764950072,
+        "narHash": "sha256-BmPWzogsG2GsXZtlT+MTcAWeDK5hkbGRZTeZNW42fwA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "f61125a668a320878494449750330ca58b78c557",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_7": {
      "locked": {
        "lastModified": 1777428379,
        "narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=",
@@ -1029,7 +1136,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_7": {
+    "nixpkgs_8": {
      "locked": {
        "lastModified": 1777578337,
        "narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=",
@@ -1045,7 +1152,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_8": {
+    "nixpkgs_9": {
      "locked": {
        "lastModified": 1777954456,
        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
@@ -1061,26 +1168,10 @@
        "type": "github"
      }
    },
-    "nixpkgs_9": {
-      "locked": {
-        "lastModified": 1777918403,
-        "narHash": "sha256-7QiZv0LcW1yIOLo2LNuCQjWon1Z1r99FwK24hbtBOF4=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "afc5551119aae6eab73a95c1960891cfe63204f6",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "nur": {
      "inputs": {
        "flake-parts": "flake-parts_4",
-        "nixpkgs": "nixpkgs_8"
+        "nixpkgs": "nixpkgs_9"
      },
      "locked": {
        "lastModified": 1778156530,
@@ -1096,6 +1187,29 @@
        "type": "github"
      }
    },
+    "pre-commit": {
+      "inputs": {
+        "flake-compat": "flake-compat_4",
+        "gitignore": "gitignore_2",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1765016596,
+        "narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
    "pre-commit-hooks": {
      "inputs": {
        "flake-compat": "flake-compat_3",
@@ -1130,10 +1244,11 @@
        "impermanence": "impermanence",
        "import-tree": "import-tree",
        "lan-mouse": "lan-mouse",
+        "lanzaboote": "lanzaboote",
        "mango": "mango",
        "nixcord": "nixcord",
        "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs_7",
+        "nixpkgs": "nixpkgs_8",
        "nixpkgs-stable": "nixpkgs-stable",
        "nur": "nur",
        "sops-nix": "sops-nix",
@@ -1187,6 +1302,27 @@
      }
    },
    "rust-overlay_3": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1765075567,
+        "narHash": "sha256-KFDCdQcHJ0hE3Nt5Gm5enRIhmtEifAjpxgUQ3mzSJpA=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "769156779b41e8787a46ca3d7d76443aaf68be6f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "rust-overlay_4": {
      "inputs": {
        "nixpkgs": [
          "wezterm-flake",
@@ -1230,7 +1366,7 @@
    },
    "sops-nix": {
      "inputs": {
-        "nixpkgs": "nixpkgs_9"
+        "nixpkgs": "nixpkgs_10"
      },
      "locked": {
        "lastModified": 1777944972,
@@ -1349,7 +1485,7 @@
    },
    "treefmt-nix": {
      "inputs": {
-        "nixpkgs": "nixpkgs_10"
+        "nixpkgs": "nixpkgs_11"
      },
      "locked": {
        "lastModified": 1775636079,
@@ -1410,7 +1546,7 @@
    },
    "vicinae-extensions": {
      "inputs": {
-        "flake-compat": "flake-compat_5",
+        "flake-compat": "flake-compat_6",
        "nixpkgs": [
          "nixpkgs"
        ],
@@ -1440,7 +1576,7 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "rust-overlay": "rust-overlay_3",
+        "rust-overlay": "rust-overlay_4",
        "zlib": "zlib"
      },
      "locked": {
--- a/flake.nix
+++ b/flake.nix
@@ -57,5 +57,6 @@
    awww.url = "git+https://codeberg.org/LGFae/awww";
    nixcord.url = "github:kaylorben/nixcord";
    nur.url = "github:nix-community/nur";
+    lanzaboote.url = "github:nix-community/lanzaboote/v1.0.0";
  };
 }
--- a/modules/hm/desktop/mango.nix
+++ b/modules/hm/desktop/mango.nix
@@ -17,6 +17,10 @@
            "name:DP-1, width:1080, height:1920, refresh:144, x:4000, y:0, vrr:0, rr:3"
          ];

+          focus_cross_monitor = 1;
+          exchange_cross_monitor = 1;
+          drag_tile_to_tile = 1;
+
          # Keyboard
          repeat_rate = 25;
          repeat_delay = 600;
@@ -100,6 +104,7 @@
            # apps
            "SUPER, Return, spawn, wezterm"
            "SUPER, Space, spawn, vicinae toggle"
+            "SUPER, D, spawn, vesktop"
            "SUPER, B, spawn, brave"
            "SUPER, V, spawn, vicinae vicinae://extensions/vicinae/clipboard/history"
            "SUPER+SHIFT, W, spawn, vicinae vicinae://extensions/sovereign/awww-switcher/wpgrid"
@@ -140,25 +145,25 @@
            "SUPER, Down, focusdir, down"

            # switch view
-            "SUPER, 1, view, 1, 0"
-            "SUPER, 2, view, 2, 0"
-            "SUPER, 3, view, 3, 0"
-            "SUPER, 4, view, 4, 0"
-            "SUPER, 5, view, 5, 0"
+            "SUPER, 1, view, 1, 1"
+            "SUPER, 2, view, 2, 1"
+            "SUPER, 3, view, 3, 1"
+            "SUPER, 4, view, 4, 1"
+            "SUPER, 5, view, 5, 1"

            # move client to the tag with focus
-            "SUPER+SHIFT, 1, tagsilent, 1, 0"
-            "SUPER+SHIFT, 2, tagsilent, 2, 0"
-            "SUPER+SHIFT, 3, tagsilent, 3, 0"
-            "SUPER+SHIFT, 4, tagsilent, 4, 0"
-            "SUPER+SHIFT, 5, tagsilent, 5, 0"
+            "SUPER+SHIFT, 1, tagsilent, 1, 1"
+            "SUPER+SHIFT, 2, tagsilent, 2, 1"
+            "SUPER+SHIFT, 3, tagsilent, 3, 1"
+            "SUPER+SHIFT, 4, tagsilent, 4, 1"
+            "SUPER+SHIFT, 5, tagsilent, 5, 1"

            # move client to the tag without focus
-            "SUPER+ALT, 1, tag, 1, 0"
-            "SUPER+ALT, 2, tag, 2, 0"
-            "SUPER+ALT, 3, tag, 3, 0"
-            "SUPER+ALT, 4, tag, 4, 0"
-            "SUPER+ALT, 5, tag, 5, 0"
+            "SUPER+ALT, 1, tag, 1, 1"
+            "SUPER+ALT, 2, tag, 2, 1"
+            "SUPER+ALT, 3, tag, 3, 1"
+            "SUPER+ALT, 4, tag, 4, 1"
+            "SUPER+ALT, 5, tag, 5, 1"
          ];

          # Window effect
--- a/modules/hm/shell/opencode.nix
+++ b/modules/hm/shell/opencode.nix
@@ -1,24 +1,34 @@
 {
-  flake.modules.homeManager.shell = {
-    programs.opencode = {
-      enable = true;
-      tui = {
-        theme = "system";
-      };
-      settings = {
-        provider = {
-          openrouter = {
-            options = {
-              apiKey = "{file:/run/secrets/open_router_api_key}";
+  flake.modules.homeManager.shell =
+    {
+      osConfig ? { },
+      ...
+    }:
+    {
+      programs.opencode = {
+        enable = true;
+        tui = {
+          theme = "system";
+        };
+        settings = {
+          provider = {
+            google = {
+              options = {
+                apiKey = "{file:${osConfig.sops.secrets.gemini-api-key.path}}";
+              };
            };
-          };
-          opencode-go = {
-            options = {
-              apiKey = "{file:/run/secrets/open_code_go_api_key}";
+            openrouter = {
+              options = {
+                apiKey = "{file:${osConfig.sops.secrets.openrouter-api-key.path}}";
+              };
+            };
+            opencode-go = {
+              options = {
+                apiKey = "{file:${osConfig.sops.secrets.opencode-go-api-key.path}}";
+              };
            };
          };
        };
      };
    };
-  };
 }
--- a/modules/hosts/sirius/config.nix
+++ b/modules/hosts/sirius/config.nix
@@ -10,13 +10,15 @@
    {

      imports = with config.flake.modules.nixos; [
+        boot
        networking
        desktop
        virtualisation
      ];

      tnix = {
-        services.openssh.enable = true;
+        boot.secure-boot.enable = true;
+        networking.openssh.enable = true;

        virtualisation = {
          docker.enable = true;
@@ -33,31 +35,29 @@
          neededForUsers = true;
        };

-        openrouter_api_key = {
+        gemini-api-key = {
          sopsFile = ./secrets.yaml;
          owner = userName;
        };

-        opencode_go_api_key = {
+        openrouter-api-key = {
          sopsFile = ./secrets.yaml;
          owner = userName;
        };

-        "vicinae.json" = {
+        opencode-go-api-key = {
+          sopsFile = ./secrets.yaml;
+          owner = userName;
+        };
+
+        vicinae-json = {
          sopsFile = ./secrets.yaml;
          owner = userName;
        };
      };

      # --- Boot ---
-      boot = {
-        loader = {
-          systemd-boot.enable = true;
-          efi.canTouchEfiVariables = true;
-        };
-        kernelPackages = pkgs.linuxKernel.packages.linux_zen;
-        kernelParams = [ "nvidia-drm.modeset=1" ];
-      };
+      boot.kernelPackages = pkgs.linuxKernel.packages.linux_zen;

      # --- Networking ---
      networking = {
@@ -88,6 +88,7 @@
          nvidiaSettings = true;
        };
      };
+      boot.kernelParams = [ "nvidia-drm.modeset=1" ];
      nixpkgs.config.cudaSupport = true;
      services.xserver.videoDrivers = [ "nvidia" ];
      environment.systemPackages = with pkgs; [ nvtopPackages.full ];
--- a/modules/hosts/sirius/secrets.yaml
+++ b/modules/hosts/sirius/secrets.yaml
@@ -1,8 +1,8 @@
 tux-password: ENC[AES256_GCM,data:EJFFMc0W1YvCLINg4kETlUbqMYSfRTsiRuoB5MybaVwl7bbBXyPFo/MspFFMXpAqSPrzRAPaM8Lxk9ndbjt7gZpSu1dPThq36Q==,iv:zn3UUMOcW09u6KTz87tDr1wfmsLMKIRBDpLfQhg0p14=,tag:AOs7NASXeo98mNKqsYP3Ww==,type:str]
-gemini_api_key: ENC[AES256_GCM,data:agH39C8hXX1jKYq03Z70aHHfrKSbNnHJfndMB53YJgWEzban7uMA,iv:fnYOySXisW1n6Moad9xBoRQFtRa/J6zTcp0lAMEtguw=,tag:0ENL4uu+8OpNc9X+hy7SiQ==,type:str]
-openrouter_api_key: ENC[AES256_GCM,data:VBhV4NcR+7O7X2/OpN2yAGnfcSS2o3Zbvr5g3LHjdUixNSq8OZupsT9SVJDGE/RJp6nunPnYo4K8qQP2+m3K3aeQYKIyT5KNTg==,iv:CVLnloUsobanpHOuP31eIGpGoJOODukGaEmQRF+RPGw=,tag:DdEtCHMPwIIbdwZis4lQgg==,type:str]
-opencode_go_api_key: ENC[AES256_GCM,data:F7WXUHDX+pESqQJ4Sg5lNXqHLvsCd1bDFPZOutuacDFu3wLHs8i0kD/rLZ+m78OmRBRv2P3kf/gJsggtkvLC/PADYQ==,iv:23soYOeKC+CvLqwvP0M+uXICBKLsOs3z8g6iUhxzrpY=,tag:2EhgRFUaHsyNJ6TqYXJYzw==,type:str]
-vicinae.json: ENC[AES256_GCM,data:qRv0EUwtS6bK9memOG3BqLf1uE5YNlpSC/p/05sb8Fw6skESaiymo584n5N8vkvGCn2Qjv/6ioJzwP4TieGtPoR1pHXkwTTGdzsnbRoU0bMuTUhD+NUBkjo2men7Yy3ljoNoopmgz9UFfps+EWuZSMmsNgIu/4sMXsNKcpDKcd8vLpXlPogwqUtbzuKw+u4RRzox0GB0QNEGcQ/F6dVKxJ2StDI8Bfy6qovEDUnK0snoCLhvAULwYwTKef8GpkCWVQRWxXk+dA4GjtgPuiABesv82gCsmsvzmfE3LLUqw+SfYgyQIXBL0IxFiULnkYZR7wmpUeWer3VCS1D8mv/0lvmcdvMqILgkV3UqXTrPqA==,iv:v7zh1tae6TFWOYms/7ihBdoJmw3z4jhcq9aV5y46aXc=,tag:2IKxst4I1XpAHp1wkOMYNA==,type:str]
+gemini-api-key: ENC[AES256_GCM,data:Ehj/rDrYKqMcA8b49K7WGjWqTqnrphfFaT2H9dxSw3KyQNEbyTHG,iv:6Av7LlS5VT+9nLMlSfTjmiMx0pp44BPQW3mNmLi+uIE=,tag:Eta0moveaDoBL52DktPF+w==,type:str]
+openrouter-api-key: ENC[AES256_GCM,data:v0wOsERSPpYnogfpbFqo1gQvOJlECKHHliIk3IXtQ3A043cK+X846qI9/MM3DSkvlFDTyc63Si8/zPuh3MGCsMrXxRmHCILDmA==,iv:C4Qk+23Vv0Q+Tl+BjwzS7aSUkQtY+mgLWfx8lprJ4CE=,tag:DhcVXKQxxBqvlr7lc5MRlg==,type:str]
+opencode-go-api-key: ENC[AES256_GCM,data:34aVZvk6zHnh6iOKHZVvLT0qt3IFR9yu8fuVh7lubHL3YNdifbFoW/jJ3FIKWqU9HvTFhO6opIYI9h5Zpip+TbagLg==,iv:xQbeP8P0QutSC9iCRDeCupBYaJrDronl7RqNPJADkjw=,tag:upco9ewspSqJdV+aKqVnwA==,type:str]
+vicinae-json: ENC[AES256_GCM,data:utkOJg/x89+AjQlc8WZ8Z0SmZET4yR16J6MgQ/LYt7galvHT9ybzjV3R7FoBG5GLNQYHAM13pc2290pJ3apivyodlFNBqoyuuDYP0t+HgHuOH67P6YXUHR5ROYRvW2GAZm/AcMrlHwCMUmgUtf4mXttskvqyuxQrIYhi0nfNa1mVY3df2x7RF+cJGWPLDF4K8YI5sFE4ctkLfREGI40OCGM0An0PJliwrFXgRZvYd5gohT1XAS/dEemB4uegGUJ6To/1KD2kI1tzsETflTPzrkSEcMt1MtDEjGKI+qdTSZQU2H66nqQ8TJKvR6WxnvXUR69vjgTSsPZ7Sk78gI1sbXe2cSc48lrP5Z1o7dqO0A==,iv:7REKeCdIQGXZWjuiTpZRpzG4wu3/+pO003gX62r5CRc=,tag:dWXji9Ub41dEKP4FXRodSg==,type:str]
 sops:
    age:
        - recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
@@ -23,7 +23,7 @@ sops:
            UGpKTHZTT2JZU0xaTHhhRjk2bEhaU1EKutUEk+TMTATHEoM9+MOdkUnIoBMeeDfu
            +GGKvInVKkAOtujBtSMj+xM8AEcfaHAFtwTgP/HEk3Hu6v7gp14oew==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-07T13:21:48Z"
-    mac: ENC[AES256_GCM,data:VWNmixzidftm4u0lUt5yL9rlvQXOXVT1+A6b/6IyO9WsWi5aM67t9l9phwRxLYad1lLL/epDmJyIJQ0ck01CzQ/hFm2mnMk87ofrwbph3GVdvrYj+2dDkzIBCwDUe/p4rkrTSo87FVJZ8NvrndbBLX3pq7Axjeo92b3Zxfxg+L8=,iv:IqCOBV5EICtO1hRO07Df0fgobO+/biS8O/4lva7NfEg=,tag:vPltr8g61OdKK4XXFyJdgQ==,type:str]
+    lastmodified: "2026-05-07T23:53:28Z"
+    mac: ENC[AES256_GCM,data:AGccISYxtma2i44KcG3y2pYP+toL/NC9crTR26M+BZs0lh0fbWxJyfOQITOaPo7VQb0nhgPDJm6M9oRvIQUYawOBMpPr1BtLfen3nKbs6cspQERZAEPv/vU98Vm0hGHbjjxteq5wX2eRjuCGRhthYJ0ppDE26QNEDesNpXH92mo=,iv:sDBjBFY4CFuSpU1HAfissqUB/7+K1VUWXhhGvF5xJNk=,tag:nNgYFMKs3/d5ZMOlJ08Amg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.2
--- a/modules/nixos/boot/loader.nix
+++ b/modules/nixos/boot/loader.nix
@@ -0,0 +1,5 @@
+{
+  flake.modules.nixos.boot = {
+    boot.loader.efi.canTouchEfiVariables = true;
+  };
+}
--- a/modules/nixos/boot/secure-boot.nix
+++ b/modules/nixos/boot/secure-boot.nix
@@ -0,0 +1,35 @@
+{ inputs, ... }:
+{
+  flake.modules.nixos.boot =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    let
+      cfg = config.tnix.boot;
+    in
+    {
+      imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
+
+      options.tnix.boot.secure-boot = {
+        enable = lib.mkEnableOption "Enable secure-boot";
+      };
+
+      config = lib.mkIf cfg.secure-boot.enable {
+        environment.systemPackages = [
+          pkgs.sbctl
+        ];
+
+        # Lanzaboote currently replaces the systemd-boot module.
+        boot.loader.systemd-boot.enable = lib.mkForce false;
+
+        boot.lanzaboote = {
+          enable = true;
+          configurationLimit = 10;
+          pkiBundle = "/var/lib/sbctl";
+        };
+      };
+    };
+}
--- a/modules/nixos/networking/ssh.nix
+++ b/modules/nixos/networking/ssh.nix
@@ -7,10 +7,10 @@
    }:
    with lib;
    let
-      cfg = config.tnix.services.openssh;
+      cfg = config.tnix.networking.openssh;
    in
    {
-      options.tnix.services.openssh = {
+      options.tnix.networking.openssh = {
        enable = mkEnableOption "Enable OpenSSH server";

        ports = mkOption {
Author	SHA1	Message	Date
tux	4f5e1a0a56	refactor: update ssh module to use networking namespace	2026-05-08 07:22:18 +05:30
tux	7eb7ea75c0	feat(config): set lanzaboote configurationLimit to 10	2026-05-08 05:31:54 +05:30
tux	5bfa9f1e09	refactor(config): standardize secret names for API keys	2026-05-08 05:31:18 +05:30
tux	e28d1acb5e	refactor: seperate loader module	2026-05-08 05:14:03 +05:30
tux	3efd212f04	feat: setup secure-boot	2026-05-08 05:09:38 +05:30
tux	718ee760cd	feat(mangowm): update montor config	2026-05-08 04:31:05 +05:30